Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-32223
Publication date:
14/07/2022
Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2022

CVE-2022-29593
Publication date:
14/07/2022
relay_cgi.cgi on Dingtian DT-R002 2CH relay devices with firmware 3.1.276A allows an attacker to replay HTTP post requests without the need for authentication or a valid signed/authorized request.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2022-32210
Publication date:
14/07/2022
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2022

CVE-2022-32225
Publication date:
14/07/2022
A reflected DOM-Based XSS vulnerability has been discovered in the Help directory of Veeam Management Pack for Microsoft System Center 8.0. This vulnerability could be exploited by an attacker by convincing a legitimate user to visit a crafted URL on a Veeam Management Pack for Microsoft System Center server, allowing for the execution of arbitrary scripts.
Severity CVSS v4.0: Pending analysis
Last modification:
20/07/2022

CVE-2022-28876
Publication date:
14/07/2022
A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Atlant and in certain WithSecure products whereby the scanning the aeheur.dll component can crash the scanning engine. The exploit can be triggered remotely by an attacker.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2022

CVE-2022-32212
Publication date:
14/07/2022
A OS Command Injection vulnerability exists in Node.js versions
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2023

CVE-2022-32222
Publication date:
14/07/2022
A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.
Severity CVSS v4.0: Pending analysis
Last modification:
24/07/2023

CVE-2022-2393
Publication date:
14/07/2022
A flaw was found in pki-core, which could allow a user to get a certificate for another user identity when directory-based authentication is enabled. This flaw allows an authenticated attacker on the adjacent network to impersonate another user within the scope of the domain, but they would not be able to decrypt message content.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2023

CVE-2022-32213
Publication date:
14/07/2022
The llhttp parser
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-32214
Publication date:
14/07/2022
The llhttp parser
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2023

CVE-2022-32215
Publication date:
14/07/2022
The llhttp parser
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-1662
Publication date:
14/07/2022
In convert2rhel, there's an ansible playbook named ansible/run-convert2rhel.yml which passes the Red Hat Subscription Manager user password via the CLI to convert2rhel. This could allow unauthorized local users to view the password via the process list while convert2rhel is running. However, this ansible playbook is only an example in the upstream repository and it is not shipped in officially supported versions of convert2rhel.
Severity CVSS v4.0: Pending analysis
Last modification:
20/07/2022
Subscribe to Vulnerabilities